IoT and Security



  • As more popular as IoT gets as more we do have to be worried about security.

    An article about hijacking routers with default passwords & username showed that, one of the first thing we should do is, to change default username (if possible) and set a secure password.

    What is good for routers should be right for IoT devices. Especially if they run a powerful router software as the omegas do (openWRT/LEDE-Project).

    I don't know if articles, especially when they are from Sophos, not have the aim to sell their products. Anyway i would like to share this one to encourage the community, to be open about security and maybe start a discussion how we can secure our devices on a simple way.

    My first few suggestions would be:

    1. Change username (if possible/use full) and password as soon as a new device gets online. LEDE-Project not sets a password and displays a message to change it imediatly. Maybe a idea for Onion OS?!

    2. Do the same with wireless credentials as long you find the default in manuals online for everyone accessible.

    3. Alternatively we can deactivate the login with username and use public-key based authentication only.

    In this case (3) i would like to know what a healthy way to deal with that? If I access with several computers, do i need keys for everyone? How to manage this keys without creating a new security hole and without loosing the control of it.

    Maybe someone who does key base auth. has some great tip's ;)



  • @Luciano-S. said in IoT and Security:

    In this case (3) i would like to know what a healthy way to deal with that?

    In principle you can use one key for multiple devices and multiple keys on one device, so you're pretty much free in designing your setup.

    Easiest way would be to have one key (preferably with password) and distribute it accross your devices. As long as you trust all of your devices this is somewhat reasonable.

    You can also use one key per device. In this case you're able to remove a key if you loose the device/key-file and password. Since you can use any key to add/remove others (at least as long as you don't implement complex permission control) there is no real need for special control stuff. You can of course add an additional key, put it on a stick and lock it away just to be sure to have access.

    I mostly use a mix - I got a backup key locked away and a HSM (something like a SSH-key on a USB-stick) which I carry arround and share across devices.


Log in to reply
 

Looks like your connection to Onion Community was lost, please wait while we try to reconnect.